1. Field of the Invention
An object of the present invention is a method for the management of an application program loaded into a microcircuit medium. In a preferred use, the microcircuit medium is a so-called electronic chip card that can be used for many other transactions. The invention is aimed at placing such microcircuit-based media at the disposal of numerous services which may be called card-issuing services because, with the electronic intelligence that they carry, these cards can be used to simplify the management of these services.
A microcircuit-based medium comprises, firstly, a medium, often constituted in the form of a card such as the credit card and, secondly, an electronic circuit provided, on the surface of the medium, with means of communicating with the external world. These communication means are often simple metallized surfaces which, besides, are connected to the microcircuit and permit electrical contacts. However, it is possible to organise a relationship between the external world and the electronic circuit that is without electrical contact: for example by means of electromagnetic transmissions.
In its broadest definition, a microcircuit of the type used in chip cards comprises, firstly, a microprocessor that is the true driving element of the card and, secondly, a set of memories having different functions. It can be assumed that a microcircuit such as this thus has three types of memory, even it is true that the functions and technologies of these memories can be intermingled to the point where it is difficult to distinguish between these memories. However, we may note the existence of a working random-access memory, called a RAM, the technology of which is often of a static or dynamic type. A microcircuit also has a read-only memory, called a ROM or, again, a program memory, containing the application program. This ROM normally cannot be programmed externally by the user and needs to be programmed either by masking by the manufacturer of the microcircuit or by the party who issues this card before subsequently preventing access, in writing mode, to this ROM (generally through the disruption of a fuse). A third known type of memory is the electrically erasable programmable read-only memory, for example of the EEPROM or FLASH EPROM type. These programmable memories enable the entering of data pertaining to the application: numbers, dates and times of the use of the card for the applications concerned, dates and amounts withdrawn from a bank account, and more generally data relating to the transaction. The ROMs and EPROMs are generally non-volatile.
The microprocessor is normally capable of carrying out the application programs contained in the ROM, either by directly reading the instructions to be carried out in this memory or by having previously prompted the transfer of these instructions into the RAM and by executing them from this RAM itself. Thus, there are two known types of microprocessor. The first type has an instruction capable of initialising the execution of the program on the first instruction contained in the ROM. The second type possesses an instruction capable of prompting this transfer. Both types can coexist in one microcircuit. In this case, one of these functions may be neutralised if necessary.
Several actors can be distinguished in the phenomenon of the use of the microcircuit cards. Firstly, there are microcircuit manufacturers, secondly there are card issuing parties and finally there are card users. The functions of the cards get reduced as and when they pertain to actors placed further down the line in this chain. This means that, for the microcircuit manufacturer, the electronic microcircuit potentially possesses all the possible internal programming capacity. The existence of this capacity can be expressed by the observation that none of the access limiting fuses has yet been disrupted. However, even if no fuse is involved, it can be assumed that, for the manufacturer, this potential capacity is not limited by a set of programming instructions proper to the microprocessor either.
Card-issuing parties, for example the banks, generally ask the manufacturer to make an unerasable programming of the applications that they need and that they wish their customers to possess, either by masking in a ROM or by software programming and by the subsequent disruption of the writing access fuse in an EPROM type memory. The first consequence of this is that the function of the microcircuit is fixed and that its use is limited to the application considered. However, the bank may think of developing its relationships with its customers by giving the card other functions. It may then do so, if only by turning to the manufacturer and asking him to make other cards with other masks. This is a lengthy process and one that lacks flexibility.
This manufacturing method has another drawback related to the fact that other services, for example social health organisations, car park management companies etc. have to adopt one and the same programming mode. The fact of using this same programming mode means that the burden of programming the applications in the microcircuits is borne by the manufacturer of the microcircuit.
Any other method would entail risks. The first risk is that one vendor of services could use his microcircuit programming tools to simulate the services of another vendor. For example, a car park management company could fraudulently seek to simulate a banking application. This risk would exist also among the manufacturers. Negligence during manufacture or during the delivery of the blank microcircuits to the issuing parties could result in ill-intentioned persons having, at their disposal, programmable microcircuits which could be given the functions of a particular card only to a partial extent and could be additionally given functions normally forbidden to it.
To overcome these drawbacks, there is already a known way, referred to here above, of making the manufacturer load the application into a ROM. The application is fixed from the very outset and can no longer be modified by any means. Another known possibility is that of loading application programs in programmable memories and subsequently limiting access to these memories in programming mode by the disruption of a fuse. It will be understood that the latter type of programming is favourably received by issuing parties because it is more flexible in its use. It will also be understood that this method of working is, nonetheless, more dangerous for the other issuing parties. For, although the manufacturer can limit the potential uses of the circuit, these limits can be circumvented in a perverse manner.
In the invention, it is proposed to resolve this problem by requiring that the application should protect itself. To do this, in this application, there is additionally included an encrypting program entrusted with establishing a signature on the basis, firstly, of a secret code proper to the card and, secondly, of the instructions of the application program itself. If this encrypting program is not included in the application itself, it nevertheless exists and should be triggered, periodically, by the microprocessor. Its action relates to the instructions of the application. This signature is then itself loaded into the data memory of the card. This signature is therefore quite legible in this memory. The card thus includes the secret code and the signature in its program memory. In its program memory, the card has, firstly, the application program (all the instructions of this program) and, secondly, an encrypting algorithm identical to the one with which the signature has been prepared. The application may be stored in an erasable programmable memory. The encrypting algorithm is stored only in an unprogrammable read-only memory. The function of this algorithm is limited to the computation of the signature, and it cannot prompt the writing of this signature in the data memory.
When it is desired to use the card, it is then enough, at each use, to ascertain that the new computation of the signature, on the basis of the instructions of the program and of the secret code, is truly equal to the already recorded signature. Under these conditions, the entire potential of the cards can be placed at the disposal of all the card-issuing parties. None of them will be able, whether inadvertently or by ill intention, to partially simulate the application of another card-issuing party. The card will have to be simulated at least in its totality. When the card is simulated in its totality, fewer risks are attached to it since the use must comply with the one assigned by the issuing party.
To make the system perform even more efficiently, it is possible to envisage bringing the reader, with which the card is in a relationship of communication, into play in the verification process. For, the encrypting algorithm takes account successively of the binary information elements contained in the instructions of the application program. With this sequence of instructions and with the secret code, it computes the signature. It is possible, however, during this encrypting operation, to introduce another binary sequence from the reader, tending to modify the signature, provided that this binary sequence was also entered when the signature was inserted into the card. It is seen that the application is completely protected, firstly by the secret code of the card and, secondly, by the limiting of the instructions of the application program which is strictly followed and, finally, by the action of the card-issuing party.
In the last-mentioned case, it is even possible to modify the signature. This modification is done on the initiative of the card-issuing party. He may decide, for example that, from a certain date onwards, the binary sequence introduced by the readers will be different. During the first insertion of a card in a reader following this decision to modify the binary sequence, the reader recognises the existence of the former signature and, after the card has been validated, and according to a protected protocol, this reader reprograms a new signature in the card, which will be used for subsequent verifications.